EJB Bad Practices: Use of Synchronization Primitives

Draft Variant
Structure: Simple
Description

This vulnerability occurs when an Enterprise JavaBeans (EJB) component improperly uses thread synchronization primitives, violating the EJB specification's design principles.

Extended Description

The EJB specification explicitly prohibits the use of thread synchronization mechanisms like synchronized blocks or locks within enterprise beans. This rule exists because the container, not the developer, must manage concurrency and threading to ensure predictable behavior across different deployment environments. Violating this guideline creates portability risks. Some EJB containers run all bean instances in a single Java Virtual Machine (JVM), while others distribute them across multiple JVMs. Relying on synchronization primitives assumes a single JVM, which can lead to race conditions, deadlocks, or inconsistent behavior when the application is deployed to a compliant, distributed container.

Common Consequences
Scope: Other

Impact: Quality Degradation

Potential Mitigations
Phase: Implementation
Do not use synchronization primitives when writing EJBs.
Demonstrative Examples
In the following Java example a Customer Entity EJB provides access to customer information in a database for a business application.

Code Example: Bad (Java)

However, the customer entity EJB uses the synchronized keyword on its set methods in an attempt to provide thread-safe access to the member variables. The use of synchronized methods violates the EJB specification's restriction against the use of synchronization primitives within EJBs. Using synchronization primitives may cause inconsistent behavior of the EJB when it is deployed in different EJB containers.
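The following is an added illustration, not the code listing from the CWE entry: a Customer entity bean written the way the example above describes (synchronized setters), beside the container-managed alternatives that the EJB specification expects. The class, field and method names are assumed; the annotations (`javax.persistence.Entity`, `javax.persistence.Version`, `javax.ejb.Singleton`, `javax.ejb.ConcurrencyManagement`, `javax.ejb.Lock`) are standard Java EE APIs.

```java
// Added example, not code from the original CWE entry or from any real project.
// Class, field and method names (CustomerBad, Customer, CustomerCache, ...) are assumed.
import javax.ejb.ConcurrencyManagement;
import javax.ejb.ConcurrencyManagementType;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Singleton;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Version;
import java.util.HashMap;
import java.util.Map;

// BAD: a monitor lock only serialises threads inside one JVM. A container that
// pools instances or runs the bean in several JVMs can update two copies of the
// same customer at once, and 'synchronized' gives no protection in that case.
// It also violates the EJB specification, so portability is not guaranteed.
@Entity
class CustomerBad {
    @Id
    private String customerId;
    private String name;
    private String address;

    public synchronized void setName(String name) { this.name = name; }
    public synchronized void setAddress(String address) { this.address = address; }
    public synchronized String getName() { return name; }
    public synchronized String getAddress() { return address; }
}

// GOOD: no synchronization primitives. The container hands each transaction its
// own managed instance, and the database transaction plus the @Version column
// (optimistic locking) detect conflicting updates regardless of how many JVMs
// the bean is deployed across.
@Entity
class Customer {
    @Id
    private String customerId;
    @Version
    private long version;      // container/JPA increments this; a stale write fails
    private String name;
    private String address;

    public void setName(String name) { this.name = name; }
    public void setAddress(String address) { this.address = address; }
    public String getName() { return name; }
    public String getAddress() { return address; }
}

// GOOD: when state really must be shared by many clients, declare the need and
// let the container enforce it. With container-managed concurrency the
// @Lock annotations are honoured by every compliant container; the bean itself
// still contains no 'synchronized' blocks or explicit locks.
@Singleton
@ConcurrencyManagement(ConcurrencyManagementType.CONTAINER)
class CustomerCache {
    private final Map<String, String> namesById = new HashMap<>();

    @Lock(LockType.WRITE)   // exclusive access while the map is modified
    public void put(String customerId, String name) {
        namesById.put(customerId, name);
    }

    @Lock(LockType.READ)    // concurrent readers allowed, blocked during a WRITE
    public String get(String customerId) {
        return namesById.get(customerId);
    }
}
```

A quick check for this pattern in an existing code base is a search of bean sources for the `synchronized` keyword and for `java.util.concurrent.locks` imports, which most static analysis tools also flag under this weakness; any hit inside an EJB should be replaced with transaction isolation, an optimistic `@Version` field, or container-managed `@Lock` declarations as shown above.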
Applicable Platforms
Languages:
Java (prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • Software Fault Patterns